A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=master 2026-04-20T04:35:00+00:00 2026-04-20T04:35:00+00:00 tb 2026-04-20T04:35:00+00:00 urn:sha1:f3c98c4260211cd04d3000ea841e87b85618fda0 from bcook kenjiro 2026-04-16T07:35:25+00:00 tb 2026-04-16T07:35:25+00:00 urn:sha1:8662e35dbd36d8450a6d4c7188a65c580e4b339f Use tls_set_errorx() or tls_error_setx() rather than the versions without x for TLS_ERROR_OUT_OF_MEMORY. ENOMEM adds no further info. From Michael Forney ok bcook 2026-04-16T07:33:11+00:00 tb 2026-04-16T07:33:11+00:00 urn:sha1:8dfa678933bc42faeff1d9406e589c16fac7f60e tls_config_load_file() hat a spot that used TLS_ERROR_UNKNOWN, so switch that to the usual error code. Use tls_error_setx() since strerror(ENOMEM) adds nothing. From Michael Forney ok bcook 2026-04-16T07:29:53+00:00 tb 2026-04-16T07:29:53+00:00 urn:sha1:03c4722ecfb4116b7f9fd10b6a216287a7ecf24d This is the only place where tls_error_set() was used. While the new length check now guarantees that the failure is due to ENOMEM, this info does not add value. From Michael Forney ok bcook 2026-04-16T07:28:00+00:00 tb 2026-04-16T07:28:00+00:00 urn:sha1:4ab01251a636fac40d8a39e8cc3ba506580aa79b If a check fails and errno is not necessarily set by the previous API call use tls_set_errorx() or tls_error_setx() since turning an unrelated errno into an error string is unhelpful. From Michael Forney ok bcook 2026-04-16T05:16:48+00:00 tb 2026-04-16T05:16:48+00:00 urn:sha1:d680a6fb78c5f1a30a0d45de7b989cee9631652a Like all proper libcrypto APIs, BIO_new_mem_buf() takes an int as a length argument. Check the size_t passed in to be at most INT_MAX to avoid issues with truncation and overflow like it's done everywhere else. After release this should probably be clamped down further since legitimate files (certs and keys) are nowhere near this large. Prompted by a diff by Michael Forney ok jsing 2026-03-28T11:49:31+00:00 tb 2026-03-28T11:49:31+00:00 urn:sha1:f3cceccc18dfd4f96044df85f30c117f39b9cc9f The API to look up a cert by subject or issuer name clearly only needs to do name comparisons in a collection of certs so should by all means take a const X509_NAME * as an argument. However, this isn't all that easy to do and hence it's only in OpenSSL 4 that this obvious step was reached. This means that there is no way around casting for older code. One could cast the return value of X509_get_issuer_name() or the argument passed to the two lookups by subject. jsing slightly prefers the second approach, so this is what we do here. ok djm jsing kenjiro 2026-03-28T11:33:33+00:00 tb 2026-03-28T11:33:33+00:00 urn:sha1:cb80f3489708580ad1f1d4b027d1c0b23fa3f15a After the const sprinkling in OpenSSL 1.1, X509_get_{issuer,subject}_name() still returned a non-const pointer for unclear reasons. In OpenSSL 4, the return value also grew a const qualifier, so move the two "name" in tls_conninfo.c and the "subject_name" in tls_verify.c to const. They are only used for further processing by already const correct functions (at least as far as X509_NAME is concerned). ok djm jsing kenjiro 2026-03-10T05:26:04+00:00 deraadt 2026-03-10T05:26:04+00:00 urn:sha1:71927d7dd981f6e0a9705dd2ddf5bc60abfbaeab 2025-10-24T11:38:06+00:00 tb 2025-10-24T11:38:06+00:00 urn:sha1:517a853e33fbf7b2eac199a98fc31c6c39a4080e